#!/bin/sh
set -e
case "$1" in
configure)
    ldconfig || true
    mkdir -p /etc/vmsig
    chmod 0640 /etc/vmsig/vmsigd.conf 2>/dev/null || true   # carries the uid->grant policy
    mkdir -p /dev/shm/vmsig && chmod 0755 /dev/shm/vmsig     # also (re)created at boot via tmpfiles
    if [ -d /run/systemd/system ]; then
        systemctl daemon-reload || true
        systemd-tmpfiles --create /usr/lib/tmpfiles.d/vmsig.conf || true
        systemctl enable vmsigd.service || true              # enable, but do NOT start
    fi
    if [ -z "$2" ]; then
        # fresh install ($2 empty): enabled but NOT started — the operator reviews the
        # grant policy before the first start.
        echo "vmsig: review the [grant] policy in /etc/vmsig/vmsigd.conf, then: systemctl start vmsigd" >&2
    else
        # upgrade ($2 = old version): a running daemon keeps the OLD in-memory image until
        # restarted — the new build is not applied automatically. Not auto-restarted here:
        # the start is gated on the grant policy, so the operator owns the moment. try-restart
        # touches the daemon only if it is currently running (leaves a stopped one alone).
        echo "vmsig: upgraded from $2 — a running daemon still runs the old build; apply with: systemctl try-restart vmsigd" >&2
    fi
    ;;
abort-upgrade|abort-remove|abort-deconfigure)
    ;;
esac
exit 0
